On 18 October 2013 12:41, Kevin Chadwick <ma1l1ists@yahoo.co.uk> wrote:
>> I have to join Marc here and say "me too". In my organisation we
>> actually have those controls in place (antivirus/antimalware) in the
>> Internet gateways and we do not disable them for specific traffic
>> flows unless a detailed risk analysis has been done (and approved).
>
> Personally I disagree with this approach as you are making the gateways
> themselves more open to attack adding risk to all rather than the
> targeted,
You can disagree with this approach. However, in my 10+ years' experience
setting up security gateways for Internet traffic (mostly for
HTTP/FTP/SMTP) I've seen only a few vulnerabilities in the gateways
themselves. Many of the gateways I have deployed are either network
appliances with a Common Criteria certification (see
http://www.commoncriteriaportal.org/), or are deployed using specific
software running in a hardened (again, Common Criteria certified)
operating system configuration. So I'd say the risk of exposing "all"
by running a properly setup gateway is rather low.
In my organisation (and I know we are not alone here), we do not just
rely on the antivirus running on the desktops. We also do routine
anti-virus/anti-malware checks on gateways running in a DMZ and block
suspicious files that cannot be analysed (e.g. encrypted files not
using corporate encryption, such as a ZIP file with a password). It's
not just us, it is a common approach followed by many organisations
and is based on the "defence-in-depth" principle.
> especially when antivirus are so easy to fool anyway.
That's also why we analyse incoming files with more than one antivirus
engine. And that's also why we do behavioral analysis (i.e. run
downloaded software in a sandbox) to detect malicious files.
> There are many perfectly legitimate hacking tools that may hit the repo
> that AV will pick up (backtrack distro has many) but also is there any
> danger of av browser plugins and google even blocking debian.org.
If somebody in my organisation is downloading and running hacking
tools, I (with my network/security admin hat on) want to know it.
These tools are only allowed for a specific group of individuals and
under specific conditions, and I expect our gateways to block these
downloads too.
Regards
Javier
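The gateway rule Javier describes above (block archives the scanner cannot look inside, such as a password-protected ZIP) comes down to a header check: a ZIP entry that is encrypted carries bit 0 of its general-purpose flag, and WinZip-style AES entries additionally use compression method 99. The following is an added example written for this page, not code from the list or from any poster or product mentioned in the thread. It assumes nothing beyond the Python standard library; the sample archives are constructed in memory, and the "password-protected" one is an ordinary ZIP whose flag bits are patched by hand (the payload is not actually encrypted, but every parser, including Python's `zipfile`, will treat it as such), since the standard library cannot write encrypted archives.

```python
"""Gateway check for ZIP archives that an anti-virus engine cannot scan.

Added example for this thread, not code from the list or its posters.
inspect_zip() returns "block" for any archive that is unparseable or that
contains encrypted entries, and "allow" otherwise. make_plain_zip() and
mark_encrypted() only build constructed test input.
"""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001        # general-purpose flag bit 0: entry is encrypted
AES_COMPRESSION_METHOD = 99    # WinZip AES entries advertise method 99


def inspect_zip(data: bytes) -> dict:
    """Decide whether a ZIP blob seen at the gateway can be scanned."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        # An archive we cannot even parse is just as unscannable as an
        # encrypted one, so it gets the same verdict.
        return {"verdict": "block", "reason": f"unparseable archive: {exc}",
                "encrypted": [], "total": 0}

    entries = zf.infolist()
    # flag_bits is the general-purpose flag word from the central directory.
    encrypted = [i.filename for i in entries
                 if i.flag_bits & ENCRYPTED_FLAG
                 or i.compress_type == AES_COMPRESSION_METHOD]
    if encrypted:
        return {"verdict": "block",
                "reason": "encrypted entries cannot be scanned: " + ", ".join(encrypted),
                "encrypted": encrypted, "total": len(entries)}
    return {"verdict": "allow", "reason": "all entries readable",
            "encrypted": [], "total": len(entries)}


def make_plain_zip(files: dict) -> bytes:
    """Constructed sample: an ordinary, unencrypted ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes, names: set) -> bytes:
    """Constructed sample: set the encryption flag on the named entries.

    Patches bit 0 of the general-purpose flag in both the local file header
    (signature PK\\x03\\x04, flags at offset 6, name length at 26, name at 30)
    and the central directory header (PK\\x01\\x02, flags at offset 8, name
    length at 28, name at 46). The compressed payload is left untouched; only
    the metadata claims encryption, which is all a parser sees before it
    decides it cannot read the contents without a password.
    """
    out = bytearray(data)
    for sig, flag_off, len_off, name_off in (
        (b"PK\x03\x04", 6, 26, 30),
        (b"PK\x01\x02", 8, 28, 46),
    ):
        pos = out.find(sig)
        while pos != -1:
            (name_len,) = struct.unpack_from("<H", out, pos + len_off)
            name = bytes(out[pos + name_off:pos + name_off + name_len]).decode()
            if name in names:
                (flags,) = struct.unpack_from("<H", out, pos + flag_off)
                struct.pack_into("<H", out, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = out.find(sig, pos + len(sig))
    return bytes(out)


if __name__ == "__main__":
    plain = make_plain_zip({"report.txt": b"quarterly numbers",
                            "notes.txt": b"hello"})
    locked = mark_encrypted(plain, {"report.txt"})
    for label, blob in (("plain", plain), ("locked", locked),
                        ("garbage", b"not a zip at all")):
        verdict = inspect_zip(blob)
        print(f"{label:8} -> {verdict['verdict']}: {verdict['reason']}")
```

The check is deliberately metadata-only: it never attempts to decompress anything, so a gateway can apply it before spending CPU on the archive. A production filter would also recurse into archives nested inside archives and cap the expanded size it is willing to inflate, neither of which this example does.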